Super Contributor II
Posts: 383
Registered: ‎09-05-2012

ClearPass GUEST with high latency cluster

Hi,

 

I have been working to get our new CPPM server up and running. This new server is located in a remote office which has a latency of around 300ms+. It has been joined to our existing cluster.

 

I am curious about the topology of how ClearPass Guest works in this scenario.

We have a captive portal that is being hosted from the CPPM.

The guest network in our remote office is set up to connect back to the publisher ClearPass and not the local subscriber. The registration of the guest accounts all occurs against the publisher. The authentication, though, occurs against the local subscriber. This is where I am running into issues. It seems that the subscriber node is not able to sync the data in time and I am left with a message stating that the user does not exist in the Guest Repository.

 

I am just curious about what the proper setup is for this scenario? I feel like I am missing the boat when it comes to how the ClearPass Guest should be structured, as well as in general. The latency has been presenting challenges I didn't expect.

 

I was thinking that for the Captive Portal configuration instead of pointing it at the CPPM in the local site I would point it to the publisher. Is this the correct way to handle this? Or am I completely out to lunch?

Community Administrator
Posts: 33
Registered: ‎11-01-2012

Re: ClearPass GUEST with high latency cluster

Take a look at the ClearPass Deployment Guide. It has specific recommendations. Check the section on Cluster Design Considerations.

 

http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Default.htm#5%20Cluster%20Deployment/Design_guidelines.htm

 

 

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: ClearPass GUEST with high latency cluster

Thank you for your reply.

 

I read over the document.

Everything for the most part makes sense.

We are definitely experiencing issues with the latency.

The way our Guest is set up is correct, but because of the replication delays we run into issues.

 

The geographical zoning configuration sounds like something we may need to implement. However, I do have some concerns about the runtime data that isn't synchronized. The document explicitly mentions that the endpoints db information isn't. We do have users that travel between the locations on a regular basis and it would be handy to have this data present in our remote locations.

 

I believe that the major issue is related to the link we have to our remote location. It is very small, well under what is recommended in this document.

 

I will continue to investigate, thank you for this document!

 

Cheers

 

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: ClearPass GUEST with high latency cluster

I was able to overcome the guest latency issue by having the guest authentication sent back to the publisher.

Seems to work as a temporary fix until we address the real issue behind the latency.

 

So much more to learn!

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: ClearPass GUEST with high latency cluster

I was wondering if someone might be able to help with how the Endpoints db works when in a cluster.

 

If an enforcement policy is writing attributes into the Endpoints db for a particular endpoint, where is that actually happening? Is that happening in the subscriber or in the publisher? If the RADIUS request is being handled by a subscriber, does that mean the write is happening in the subscriber?

 

I am a little confused on that point.
